Rust supply-chain

Open-source Rust projects categorized as supply-chain

Top 6 Rust supply-chain Projects

supply-chain
  • rebuilderd

    Independent verification of binary packages - reproducible builds

  • SaaSHub

    SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives

    SaaSHub logo
  • cackle

    A code ACL checker for Rust

    Project mention: Rewriting Rust | news.ycombinator.com | 2024-09-25

    > Sandboxing against malicious crates is an out-of-scope problem. You can't do this at the language level; you need some combination of a verifier and runtime sandbox. WebAssembly components are a much more likely solution here. But there's lots of interest in having capabilities for other reasons, for things like "what allocator should I use" or "what async runtime should I use" or "can I assume the platform is 64-bit" or similar. And we do want sandboxing of things like proc macros, not because of malice but to allow accurate caching that knows everything the proc macro depends on - with a sandbox, you know (for instance) exactly what files the proc macro read, so you can avoid re-running it if those files haven't changed.

    We've had a lot of talk about sandboxing of proc-macros and build scripts. Of course, more declarative macros, delegating `-sys` crate logic to a shared library, and `cfg(version)` / `cfg(accessible)` will remove a lot of the need for user versions of these. However, that all ignores runtime. The more I think about it, the more cackle's "ACLs" [0] seem like the way to go as a way for extensible tracking of operations and auditing their use in your dependency tree, whether through a proc-macro, a build script, or runtime code.

    I heard that `cargo-redpen` is developing into a tool to audit calls though I'm imagining something higher level like cackle.

    [0]: https://github.com/cackle-rs/cackle

  • cli

    Command line interface for the Phylum API (by phylum-dev)

    Project mention: Ledger's NPM account has been hacked | news.ycombinator.com | 2023-12-14

    Co-funder @ Phylum here (https://phylum.io) We have been actively scanning dependencies across npm (and PyPI, RubyGems, Crates.io, etc.) for nearly three years now; quite successfully, I might add (https://blog.phylum.io/tag/research/). We _automatically_ hit on this package when it was published, and our research team has been all over it.

    A collective of us are active in Discord (https://discord.gg/Fe6pr5eW6p), continuing to hunt attacks like these. If that's something that interests you, we'd love to have you!

    In addition to this, we've released several open source tools to help protect against supply chain attacks:

    1. https://github.com/phylum-dev/birdcage - Birdcage is a cross-platform embeddable sandbox that's been baked into our CLI (which wraps npm, pypi, etc.) to sandbox package installations

    2. https://github.com/phylum-dev/cli - Our CLI provides an extension capability so you can lock down random executables you might use during your software development (define _what_ it's allowed to do, e.g. network access, and then lock it down with Birdcage)

    We also have a variety of integrations, including Github, Gitlab, BitBucket, CircleCI, Tines, Sophos, etc.

    https://docs.phylum.io/docs/integrations_overview

    It's unfortunate that software dependency attacks continue to plague open source registries. It seems unlikely this will let up in the near future. We are continuing to work closely with the open source ecosystems to try and get these sorts of packages removed when they pop up.

  • pacman-bintrans

    Experimental pacman integration for Reproducible Builds and Binary Transparency (with sigstore/rekor)

  • atom

    Atom is a novel intermediate representation for applications and a standalone tool that is powered by chen. (by AppThreat)

  • autovet

    Automated security testing for open source libraries and applications.

NOTE: The open source projects on this list are ordered by number of github stars. The number of mentions indicates repo mentiontions in the last 12 Months or since we started tracking (Dec 2020).

Rust supply-chain discussion

Log in or Post with

Rust supply-chain related posts

  • Rust Malware Staged on Crates.io

    3 projects | news.ycombinator.com | 25 Aug 2023
  • Attackers Repurposing existing Python-based Malware for Distribution on NPM

    2 projects | /r/javascript | 19 Apr 2023
  • Attackers are hiding malware in minified packages distributed to NPM

    4 projects | /r/javascript | 30 Mar 2023
  • Spin 1.0 — The Developer Tool for Serverless WebAssembly

    17 projects | dev.to | 28 Mar 2023
  • Ransomware being published to PyPI in ongoing campaign

    2 projects | /r/Python | 9 Dec 2022
  • Automated security testing for open source libraries and applications. What do you think?

    1 project | /r/opensource | 18 Aug 2022
  • Pacman-bintrans – Experimental binary transparency for pacman via sigstore/rekor

    1 project | news.ycombinator.com | 23 May 2022
  • A note from our sponsor - SaaSHub
    www.saashub.com | 8 Dec 2024
    SaaSHub helps you find the best software and product alternatives Learn more →

Index

What are some of the best open-source supply-chain projects in Rust? This list will help you:

Project Stars
1 rebuilderd 358
2 cackle 206
3 cli 103
4 pacman-bintrans 83
5 atom 53
6 autovet 7

Sponsored
SaaSHub - Software Alternatives and Reviews
SaaSHub helps you find the best software and product alternatives
www.saashub.com

Did you konow that Rust is
the 5th most popular programming language
based on number of metions?